Outbound Rules Service Blocking | NETGEAR fvs114 instruction

Reference Manual for the ProSafe VPN Firewall FVS114

Considerations for Inbound Rules

•If your external IP address is assigned dynamically by your ISP, the IP address may change periodically as the DHCP lease expires. Consider using the Dyamic DNS feature in the Advanced menus so that external users can always find your network.

•If the IP address of the local server PC is assigned by DHCP, it may change when the PC is rebooted. To avoid this, use the Reserved IP address feature in the LAN IP menu to keep the PC’s IP address constant.

•Each local PC must access the local server using the PC’s local LAN address (192.168.0.99 in this example). Attempts by local PCs to access the server using the external WAN IP address will fail.

Outbound Rules (Service Blocking)

The FVS114 allows you to block the use of certain Internet services by PCs on your network. This is called service blocking or port filtering. You can define an outbound rule to block Internet access from a local PC based on:

•IP address of the local PC (source address)

•IP address of the Internet site being contacted (destination address)

•Time of day

•Type of service being requested (service port number)

Following is an application example of an outbound rule:

4-8	Firewall Protection and Content Filtering

202-10098-01, April 2005

Image 46

NETGEAR fvs114 manual Outbound Rules Service Blocking, Considerations for Inbound Rules

Contents

Reference Manual for the ProSafe VPN Firewall FVS114 EN 55 022 Declaration of Conformance TrademarksStatement of Conditions Certificate of the Manufacturer/Importer Product and Publication Details 202-10098-01, April Contents Chapter Firewall Protection Content Filtering Chapter Advanced Virtual Private Networking Chapter Advanced Configuration Appendix C Virtual Private Networking Appendix D Preparing Your Network Contents Xii Contents Typographical Conventions Chapter About This ManualAudience, Scope, Conventions, and Formats Manual Scope How to Use This Manual Printing a Chapter How to Print this ManualPrinting a Page in the Html View Printing the Full Manual Reference Manual for the ProSafe VPN Firewall FVS114 Key Features of the VPN Firewall Chapter Introduction Powerful, True Firewall with Content Filtering Security Autosensing Ethernet Connections with Auto Uplink Extensive Protocol Support Easy Installation and Management Maintenance and Support Package Contents FVS114 Rear Panel LED Descriptions Netgear Product Registration, Support, and Documentation DC power input ON/OFF switchNETGEAR-Related Products NETGEAR-Related Products Reference Manual for the ProSafe VPN Firewall FVS114 Prepare to Install Your FVS114 ProSafe VPN Firewall Connecting the Firewall to the InternetFirst, Connect the FVS114 VPN Firewall Modem Restart Your Network in the Correct Sequence Now, Configure the FVS114 for Internet Access Status lights Netgear Smart Wizard Configuration Assistant welcome screen Be sure to restart your network in this sequence Troubleshooting TipsMake sure the network settings of the computer are correct Make sure the Ethernet cables are securely plugged Overview of How to Access the FVS114 VPN Firewall Ways to access the firewall Login URL How to Bypass the Configuration Assistant Login result FVS114 home Using the Smart Setup Wizard How to Manually Configure Your Internet Connection ISP Does Not Require Login Reference Manual for the ProSafe VPN Firewall FVS114 10 Basic Settings ISP list Reference Manual for the ProSafe VPN Firewall FVS114 Chapter Firewall Protection Content Filtering Firewall Protection and Content Filtering Overview Block Sites Block Sites menu Using Rules to Block or Allow Specific Kinds of Traffic Rules menu Reference Manual for the ProSafe VPN Firewall FVS114 Inbound Rules Port Forwarding Inbound Rule Example a Local Public Web Server Rule example a local public Web server Outbound Rules Service Blocking Considerations for Inbound Rules Outbound Rule Example Blocking Instant Messenger Rule example blocking Instant Messenger Order of Precedence for Rules Rules table Services Services menu Add Custom Service menu Using a Schedule to Block or Allow Specific Traffic Schedule Time Zone Getting E-Mail Notifications of Event Logs and Alerts 10 E-mail menu Reference Manual for the ProSafe VPN Firewall FVS114 Viewing Logs of Web Access or Attempted Web Access 11 Logs menu Log action buttons are described in Table SyslogLog entries are described in Table Log entry descriptions Chapter Basic Virtual Private Networking VPN Tunnel Single Advanced methods see , Advanced Virtual Private Networking Configuration VPN Tunnel Configuring the Client-to-Gateway VPN Tunnel on the FVS114 VPN Wizard start screen Summary screen below displays Connection Name and Remote IP Type Vpnc Recommended Settings Configuring the Netgear ProSafe VPN Client on the Remote PC Select Secure in the Connection Security check box Security Policy Editor new connection 11 Security Policy Editor Security Policy 12 Security Policy Editor My Identity 13 Security Policy Editor Pre-Shared Key 15 Security Policy Editor Key Exchange 16 Running a Ping test to the LAN from the PC 18 Log Viewer screen Transferring a Security Policy to Another Client Exporting a Security Policy Select Export Security Policy from the File pulldown Importing a Security Policy Select the security policy to import Scenario1 FVS114 VPN Firewall PCs Procedure to Configure a Gateway-to-Gateway VPN Tunnel 23 VPN Wizard start screen 25 Remote IP 27 VPN Wizard Summary 28 VPN Recommended Settings 30 VPN Status/Log screen VPN Tunnel Control Start Using a VPN Tunnel to Activate ItUsing the VPN Status Page to Activate a VPN Tunnel Activating a VPN Tunnel Activate the VPN Tunnel by Pinging the Remote Endpoint 32 VPN Status/Log screen Type ping -t 192.168.3.1 and then click OK Type ping Verifying the Status of a VPN Tunnel 36 Pinging test results Deactivating a VPN Tunnel 38 Current VPN Tunnels SAs screen Using the VPN Status Page to Deactivate a VPN Tunnel 39 VPN Policies Deleting a VPN Tunnel 41 Current VPN Tunnels SAs screen Virtual Private Using Policies to Manage VPN Traffic Using Automatic Key Management IKE Policies’ Automatic Key and Authentication Management IKE Policy Configuration Menu IKE Policy Configuration fields Field Description General VPN Policy Configuration for Auto Key Negotiation Field Description Remote VPN Auto Policy menu VPN Auto Policy Configuration Fields VPN Auto Policy fields are defined in the following table Authenticating Header AH VPN Policy Configuration for Manual Key Exchange Netbios Enable VPN Manual Policy menu VPN Manual Policy Configuration Fields VPN Manual Policy fields are defined in the following table Value in its Authentication Algorithm Key Out field Netbios Enable Walk-Through of Configuration Scenarios on the FVS114 Certificate Revocation List CRL VPN Consortium Scenario From Settings menu Are IPv4 WAN IP addresses FVS114 Internet IP Address menu LAN IP Setup menu Set up the IKE Policy illustrated below on the FVS114 Scenario 1 IKE Policy Set up the FVS114 VPN -Auto Policy illustrated below 10 Scenario 1 VPN Auto Policy How to Check VPN Connections Testing the Gateway a FVS114 LAN and the Gateway B LAN Obtain a root certificate Install the trusted CA certificate for the Trusted Root CAFVS114 Scenario 2 FVS114 to FVS114 with RSA Certificates Create a certificate request for the FVS114 11 Generate Self Certificate Request menu Highlight, copy and paste this data into a text file 12 Self Certificate Request data Click the Upload Certificate button 13 Self Certificate Requests table 14 Self Certificates table Set up Certificate Revocation List CRL checking Reference Manual for the ProSafe VPN Firewall FVS114 Chapter Maintenance Viewing VPN Firewall Status Information This screen shows the following parameters FVS114 Status fields Connection Status fields Click Show WAN Status to display the WAN connection statusThis screen shows the following statistics Connection Status action buttons WAN Status action buttons are described in the table below Click Show Statistics to display firewall usage statisticsRouter Statistics fields Viewing a List of Attached Devices Upgrading the Firewall Software Configuration File Management Router Upgrade menu Restoring the Configuration Backing Up the ConfigurationErasing the Configuration Changing the Administrator Password Diagnostics Diagnostics menu Ping or Trace an IP address Reference Manual for the ProSafe VPN Firewall FVS114 Chapter Advanced Configuration WAN Setup Default DMZ Server Click Default DMZ Server How to Configure Dynamic DNSTo assign a computer or server to be a Default DMZ server Respond to Ping on Internet WAN Port Dynamic DNS Using the LAN IP Setup Options Configuring LAN TCP/IP Setup Parameters Reference Manual for the ProSafe VPN Firewall FVS114 Using the Firewall as a Dhcp server Using Address Reservation Configuring Static Routes Click Edit or Delete Static Routes table Enabling Remote Management Access Static Route Example Remote Management menu Https//134.177.0.1238080 UPnP UPnP menu Reference Manual for the ProSafe VPN Firewall FVS114 Power LED Not On Chapter TroubleshootingBasic Functioning LEDs Never Turn Off LAN or Internet Port LEDs Not On Troubleshooting the Web Configuration Interface Troubleshooting the ISP Connection Troubleshooting a TCP/IP Network Using a Ping Utility Testing the LAN Path to Your Firewall If the path is not working, you see this message Testing the Path from Your PC to a Remote DeviceIf the path is working, you see this message Ping -n 10 IP address Restoring the Default Configuration and Password Problems with Date and Time Reference Manual for the ProSafe VPN Firewall FVS114 Data and Routing Protocols Appendix a Technical SpecificationsPPP over Ethernet PPPoE 10BASE-T or 100BASE-Tx, RJ-45 Interface SpecificationsElectromagnetic Emissions Appendix B Network, Routing, and Firewall Basics Related Publications Basic Router Concepts Routing Information Protocol What is a Router?IP Addresses and the Internet Is normally written as Figure B-1 Three Main Address Classes Combined with NetmaskEquals Subnet Addressing Figure B-2 Example of Subnetting a Class B Address Table B-1 Netmask notation translation table for one octet Table B-2. Netmask formats Private IP Addresses Table B-2 Netmask formats Single IP Address Operation Using NAT Figure B-3 Single IP Address Operation Using NAT Related Documents MAC Addresses and Address Resolution ProtocolDomain Name Server IP Configuration by Dhcp Internet Security and Firewalls Ethernet Cabling What is a Firewall?Denial of Service Attack Stateful Packet Inspection Table B-3 UTP Ethernet cable wiring, straight-through Category 5 Cable Quality Inside Twisted Pair Cables Figure B-4illustrates straight-through twisted pair cable Uplink Switches, Crossover Cables, and MDI/MDIX Switching Reference Manual for the ProSafe VPN Firewall FVS114 Reference Manual for the ProSafe VPN Firewall FVS114 What is a VPN? Appendix C Virtual Private Networking IPSec Components What Is IPSec and How Does It Work?IPSec Security Features IPSec contains the following elements Encapsulating Security Payload ESP Authentication Header AH IKE Security Association Mode Understand the Process Before You Begin Key Management Addresses VPN Process OverviewIt functions as a Firewalls VPN Tunnel Between GatewaysTable C-2 Subnet addressing IPSec Security Association IKE VPN Tunnel Negotiation Steps IPSec Security Association SA negotiation Vpnc IKE Phase I Parameters Vpnc IKE Security Parameters Vpnc IKE Phase II Parameters Testing and TroubleshootingAdditional Reading Relevant RFCs listed numerically Appendix D Preparing Your Network Preparing Your Computers for TCP/IP Networking Configuring Windows 95, 98, and Me for TCP/IP Networking Install or Verify Windows Networking Components Select Microsoft Select TCP/IP, and then click OK Choose Settings, and then Control Panel Enabling Dhcp to Automatically Configure TCP/IP SettingsRestart your PC for the changes to take effect Primary Network Logon is set to Windows logon Verifying TCP/IP Properties Selecting Windows’ Internet Access MethodClick OK to continue Restart the PC Configuring Windows NT4, 2000 or XP for IP Networking Double-click the Network and Dialup Connections icon Then, restart your PC Dhcp Configuration of TCP/IP in Windows XPLocate your Network Neighborhood icon Reference Manual for the ProSafe VPN Firewall FVS114 Dhcp Configuration of TCP/IP in Windows Reference Manual for the ProSafe VPN Firewall FVS114 Obtain an IP address automatically is selected Dhcp Configuration of TCP/IP in Windows NT4 Reference Manual for the ProSafe VPN Firewall FVS114 Verifying TCP/IP Properties for Windows XP, 2000, and NT4 TCP/IP Properties dialog box now displays MacOS 8.6 or Configuring the Macintosh for TCP/IP NetworkingDefault gateway is Type exit MacOS Verifying TCP/IP Properties for Macintosh Computers What Is Your Configuration Information? Are Login Protocols Used?Verifying the Readiness of Your Internet Account Select the IP Address tab Select the Gateway tab Reference Manual for the ProSafe VPN Firewall FVS114 Restarting the Network Reference Manual for the ProSafe VPN Firewall FVS114 List of Glossary Terms Numeric AES Packet sent to all devices on a network DNS See Internet Control Message Protocol Internet service provider Megabits per second Set of rules for communication between devices on a network Radius See Wide Area Network Reference Manual for the ProSafe VPN Firewall FVS114 Reference Manual for the ProSafe VPN Firewall FVS114